Message Boards

Admin access to user security reminder query?

Rob Hall, modified 10 years ago.

Admin access to user security reminder query?

Junior Member Posts: 47 Join Date: 11-11-30 Recent Posts
I have a client need to be able to view and change a user's security reminder query or answer for Customer Support. I don't see any means through the Control Panel to access a user's security question/answer values for their password (I see where the password can be changed, though).

I know this information can programmatically be updated using UserLocalServiceUtil.updateReminderQuery, but I don't see a means for an administrator to view or edit these values through Control Panel.
David H Nebinger, modified 10 years ago.

RE: Admin access to user security reminder query?

Liferay Legend Posts: 14919 Join Date: 06-9-2 Recent Posts
Well, the question/answer is part of self-service password reset; it's not really meant to be an administrator's tool. For example, how is my admin supposed to know what my father's middle name is?
Rob Hall, modified 10 years ago.

RE: Admin access to user security reminder query?

Junior Member Posts: 47 Join Date: 11-11-30 Recent Posts
David H Nebinger:
Well, the question/answer is part of self-service password reset; it's not really meant to be an administrator's tool. For example, how is my admin supposed to know what my father's middle name is?


Problem is the client's call center is getting inundated with calls from customers that can't remember their answers...seems like I may need to build a custom portlet for an administrator to retrieve these answers from the database.
David H Nebinger, modified 10 years ago.

RE: Admin access to user security reminder query?

Liferay Legend Posts: 14919 Join Date: 06-9-2 Recent Posts
Doesn't that mean the folks are failing at handling password resets on their own? It's a failure of the self service, not that the questions aren't visible to admins or anything like that.

The user should be setting the question/answer the first time they log in. If you cannot remember your father's middle name, etc., then I think you have bigger problems than just forgetting your password...

Did you guys choose some other sort of reminder questions, things that maybe aren't as static as father's middle name?

So here's the thing. I call the client's call center and pretend to be you. "Sorry, I don't remember what I put in for my father's middle name," I tell them, so the admin does what, looks it up and then gives it to me? Or does he just go ahead and reset your password to whatever I tell him to use? That's great, because now I've just taken over your account and can do with it whatever I like.

The kind of thing you want to do is kind of how security breaches happen...